HTTPS
Topics in this section,
In this section, you are going to learn
Terminology
Version Info
High Level Protocol Setup
Experimental Setup
Application
Libraries
Step-1 : Find the IP address of Ubuntu machine
test:~$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:c2:a4:22:08  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.91.239.13  netmask 255.255.255.0  broadcast 10.91.239.13
        inet6 fe80::bb87:2721:82b8:f6cd  prefixlen 64  scopeid 0x20<link>
        ether e4:54:e8:4e:e4:b9  txqueuelen 1000  (Ethernet)
        RX packets 10426884  bytes 7818062595 (7.8 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3605750  bytes 434038103 (434.0 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xdf000000-df020000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1097677  bytes 88297298 (88.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1097677  bytes 88297298 (88.2 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
To find the IP address of your Ubuntu machine, use the ifconfig command.
In the ifconfig output above, 10.91.239.13 (the address of enp0s31f6) is used as the Proxy Server IP in the rest of this page.
Clients use this Proxy Server IP when connecting to the HTTPS proxy.
Step-2 : Install Squid Proxy Server on Ubuntu
test:~$ pwd
/home/test
test:~$ sudo apt update
test:~$ sudo apt install squid
Step-3 : Verify the Installation
test:~$ squid -v
The configure options printed by squid -v must include --with-openssl; without it Squid cannot perform SSL bumping (on Ubuntu this means installing the squid-openssl package rather than plain squid).
Step-4 : Before editing the configuration file
1. Generate an SSL certificate. SSL bumping requires the proxy to decrypt TLS traffic, so you need a self-signed certificate that Squid will use to sign the certificates it generates for bumped sites.
test:~$ sudo mkdir -p /etc/squid/ssl_cert
test:~$ sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/squid/ssl_cert/squid.key -out /etc/squid/ssl_cert/squid.crt
You will be prompted to enter some information; you can leave it at the defaults or provide your own.
2. Set proper permissions on the SSL key and certificate.
test:~$ sudo chmod 400 /etc/squid/ssl_cert/squid.key
test:~$ sudo chmod 444 /etc/squid/ssl_cert/squid.crt
Step-5 : Edit the Squid Configuration file
test:~$ sudo nano /etc/squid/squid.conf

# Specify the port for squid to listen on; the ssl-bump flag is required for the ssl_bump rules below to apply.
# The certificate and key are the ones generated in Step-4.
https_port 3129 ssl-bump tls-cert=/etc/squid/ssl_cert/squid.crt tls-key=/etc/squid/ssl_cert/squid.key
# Define an ACL for the client (replace with your client's IP)
acl client_ip src 192.168.0.37   # this could be the actual IP of the client
# Allow the client IP to access the proxy
http_access allow client_ip
# Define safe ports for HTTP and HTTPS
acl safe_ports port 80           # HTTP port (http://)
acl safe_ports port 443          # HTTPS port (https://)
acl safe_ports port 1025-65535   # allow higher ports
# Allow access to safe ports (HTTP, HTTPS, etc.)
http_access allow safe_ports
# Deny all other clients from accessing the proxy
http_access deny all
# SSL BUMPING RULES
ssl_bump bump all
ssl_bump splice all
ssl_bump terminate all
# Logging and cache settings (optional)
access_log /var/log/squid/access.log
cache_dir ufs /var/spool/squid 100 16 256   # default cache directory with 100MB space
visible_hostname sysadmin   # optional

NOTE : Comment out all the existing lines in the file and keep only the lines above, then save. Squid comments start with #; a // comment is read as part of the directive's value.
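Because a misspelled directive (http_acess instead of http_access) or a certificate path that does not match the files generated in Step-4 are the usual reasons the proxy fails to start or silently never bumps, here is a small lint script for the configuration above. This is an added example, not part of the tutorial or of Squid itself; the directive list it checks against is a hypothetical subset sufficient for this configuration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: lint a squid.conf like the one above for the mistakes that
# make an SSL-bumping proxy fail or misbehave. Hypothetical helper, not
# part of Squid; the directive list is a subset chosen for this tutorial.

LINT_KNOWN_DIRECTIVES="http_port https_port acl http_access ssl_bump access_log cache_log cache_dir coredump_dir visible_hostname sslcrtd_program sslcrtd_children"

# Print the configuration with '#' comments and blank lines removed.
lint_strip() {
  sed -e 's/[[:space:]]#.*$//' -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"
}

# Report problems on stdout; the return value is the number of problems found.
lint_squid_conf() {
  lint_conf="$1"
  lint_problems=0
  lint_tmp=$(mktemp)
  lint_strip "$lint_conf" > "$lint_tmp"

  # 1. Unrecognized directives: a typo such as http_acess means the access
  #    rule you meant is never installed.
  for lint_d in $(awk '{ print $1 }' "$lint_tmp" | sort -u); do
    case " $LINT_KNOWN_DIRECTIVES " in
      *" $lint_d "*) ;;
      *) echo "unrecognized directive: $lint_d"; lint_problems=$((lint_problems + 1)) ;;
    esac
  done

  # 2. Only '#' starts a comment; a '//' comment becomes part of the value.
  if grep -q '[[:space:]]//' "$lint_tmp"; then
    echo "'//' is not a comment in squid.conf (use '#')"
    lint_problems=$((lint_problems + 1))
  fi

  # 3. Every ACL named in an http_access rule must be defined ("all" is built in).
  lint_defined=" all $(awk '$1 == "acl" { print $2 }' "$lint_tmp" | sort -u | tr '\n' ' ')"
  for lint_a in $(awk '$1 == "http_access" { for (i = 3; i <= NF; i++) { sub(/^!/, "", $i); print $i } }' "$lint_tmp" | sort -u); do
    case "$lint_defined" in
      *" $lint_a "*) ;;
      *) echo "http_access references undefined acl: $lint_a"; lint_problems=$((lint_problems + 1)) ;;
    esac
  done

  # 4. The last http_access rule should be "deny all" so nothing falls through.
  lint_last=$(awk '$1 == "http_access" { last = $2 " " $3 } END { print last }' "$lint_tmp")
  if [ "$lint_last" != "deny all" ]; then
    echo "last http_access rule is '$lint_last', expected 'deny all'"
    lint_problems=$((lint_problems + 1))
  fi

  # 5. ssl_bump rules are only consulted on ports that carry the ssl-bump flag.
  if grep -q '^ssl_bump' "$lint_tmp" && ! grep -E '^(http|https)_port' "$lint_tmp" | grep -q 'ssl-bump'; then
    echo "ssl_bump rules present but no *_port line has the ssl-bump flag"
    lint_problems=$((lint_problems + 1))
  fi

  # 6. Certificate and key files named on the port line must exist on disk.
  for lint_f in $(grep -Eo 'tls-(cert|key)=[^[:space:]]+' "$lint_tmp" | cut -d= -f2); do
    if [ ! -f "$lint_f" ]; then
      echo "missing file: $lint_f"
      lint_problems=$((lint_problems + 1))
    fi
  done

  rm -f "$lint_tmp"
  return $lint_problems
}

# Usage: sh lint_squid.sh /etc/squid/squid.conf
if [ -n "${1:-}" ]; then
  lint_squid_conf "$1" && echo "no problems found"
fi
```

Run it before restarting Squid; a non-zero exit means at least one finding was printed. Run against the original draft of this configuration it reports the http_acess typo, the server.crt/server.key paths that were never generated, the missing ssl-bump flag and the // comment.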
Step-6 : Start the Squid server
test:~$ sudo systemctl restart squid
test:~$ sudo systemctl enable squid
test:~$ sudo systemctl status squid
NOTE : If the server is not running, check the logs with “sudo journalctl -u squid” or “sudo systemctl status squid” and fix the errors.
Step-7 : Allow connections to port 3129 (the https_port)
test:~$ sudo ufw allow 3129
Step-8 : Check that the server is listening on the port
test:~$ sudo netstat -tuln | grep 3129
tcp        0      0 0.0.0.0:3129            0.0.0.0:*               LISTEN
tcp6       0      0 :::3129                 :::*                    LISTEN
Step-1 : Find the IP address of the Client machine.
test:~$ ifconfig
enp3s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e4:54:e8:0a:f2:75  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 453840  bytes 299962936 (299.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 453840  bytes 299962936 (299.9 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.37  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fd8d:7bbc:1295:8:3e83:f574:906b:9b12  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::efe6:fe58:4cd1:9a51  prefixlen 64  scopeid 0x20<link>
        inet6 fd8d:7bbc:1295:8:51a9:e8f4:66d6:3180  prefixlen 64  scopeid 0x0<global>
        ether c0:b5:d7:0b:ac:5b  txqueuelen 1000  (Ethernet)
        RX packets 3476163  bytes 2223285532 (2.2 GB)
        RX errors 0  dropped 48920  overruns 0  frame 0
        TX packets 450874  bytes 86312159 (86.3 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
The client address 192.168.0.37 (on wlp4s0) is the one allowed by the client_ip ACL in the Squid configuration.
Step-2 : On the client machine, connect to the server
1. Obtain the proxy's certificate
test:~$ echo | openssl s_client -showcerts -connect 10.91.239.13:3129
This shows the certificate chain the proxy presents. Copy the first certificate from the output (the block starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----) and save it to a file, e.g., proxy_cert.pem.
2. Add the proxy's certificate to the trusted CA store
1. Copy the proxy certificate to /usr/local/share/ca-certificates/. The file must have a .crt extension, because update-ca-certificates only picks up .crt files from that directory.
test:~$ sudo cp proxy_cert.pem /usr/local/share/ca-certificates/proxy_cert.crt
2. Update the certificate store
test:~$ sudo update-ca-certificates
This adds the proxy's self-signed certificate to the list of trusted certificates.
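The two client sub-steps above (extracting the first certificate from the s_client output and installing it with a .crt name) can be scripted, and it is worth adding the one check the steps omit: compare the SHA-256 fingerprint of the certificate the client fetched with that of /etc/squid/ssl_cert/squid.crt on the proxy, so the client only ever trusts the certificate you generated. This is an added example, not part of the tutorial; the function names are its own, and the sample s_client output at the bottom is constructed with fake certificate bodies purely to exercise the extraction offline.

```shell
#!/bin/sh
# Added example (not from the tutorial): fetch the proxy certificate the way
# Step-2 does, keep only the first (leaf) block of the chain that s_client
# prints, and install it under a .crt name so update-ca-certificates reads it.

# Print only the first PEM certificate block found on stdin.
extract_leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Fetch the certificate the proxy presents on its TLS port
# (defaults are the proxy IP and https_port used in this tutorial).
fetch_proxy_cert() {
  echo | openssl s_client -showcerts -connect "${1:-10.91.239.13}:${2:-3129}" 2>/dev/null | extract_leaf_cert
}

# Install a PEM file into the system trust store under a .crt name.
install_proxy_ca() {
  pem="$1"; name="${2:-squid-proxy}"
  sudo cp "$pem" "/usr/local/share/ca-certificates/$name.crt"
  sudo update-ca-certificates
}

# Fingerprint check: run this on the fetched proxy_cert.pem on the client and
# on /etc/squid/ssl_cert/squid.crt on the proxy. The two values must match;
# a mismatch means the client fetched somebody else's certificate.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# After installation, the handshake to the proxy must verify against the
# system store without any extra CA option.
check_proxy_trusted() {
  echo | openssl s_client -connect "${1:-10.91.239.13}:${2:-3129}" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Constructed sample of "openssl s_client -showcerts" output with fake PEM
# bodies (not real certificates), used to exercise extract_leaf_cert offline.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = squid-proxy
   i:CN = squid-proxy
-----BEGIN CERTIFICATE-----
MIIBconstructedLEAFcertificateBody
-----END CERTIFICATE-----
 1 s:CN = not-the-proxy
   i:CN = not-the-proxy
-----BEGIN CERTIFICATE-----
MIIBconstructedSECONDcertificateBody
-----END CERTIFICATE-----
---'

# Usage: sh client_trust.sh [proxy-ip] [port]
if [ -n "${1:-}" ]; then
  fetch_proxy_cert "$1" "$2" > proxy_cert.pem \
    && cert_fingerprint proxy_cert.pem \
    && install_proxy_ca proxy_cert.pem \
    && check_proxy_trusted "$1" "$2" && echo "proxy certificate is trusted"
fi
```

Only extract_leaf_cert runs offline; the other functions need the proxy reachable and openssl installed on the client. Keeping the fetched file as proxy_cert.pem and installing a renamed .crt copy preserves the curl and wget invocations in the next steps, which still point at the .pem.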
Step-3 : Using Curl
test:~$ curl --proxy https://10.91.239.13:3129 --proxy-cacert /path/to/proxy_cert.pem https://example.com
Expected output: the HTML source of the webpage hosted at https://example.com
NOTE: 10.91.239.13 is the Proxy Server IP address referenced in the “Setup HTTP Proxy Server on Ubuntu” section above.
Step-4 : Using wget
test:~$ https_proxy=https://10.91.239.13:3129 wget --proxy=on --ca-certificate=/path/to/proxy_cert.pem https://example.com
Expected output: the HTML content of the webpage at https://example.com
wget takes the proxy from the https_proxy environment variable (or -e https_proxy=...), not as a positional argument. Note that GNU wget 1.x only speaks plain HTTP to a proxy and rejects a proxy URL with an https:// scheme (“Must be HTTP”); if it does so here, use the curl test above, which supports a TLS proxy.
Step-5 : Using Telnet
test:~$ telnet 10.91.239.13 3129
Trying 10.91.239.13...
Connected to 10.91.239.13.
Escape character is '^]'.
If the connection fails, the output will be something like “Connection refused” or “Unable to connect to remote host”.
Step-6 : Using netcat
test:~$ nc -zv 10.91.239.13 3129
Connection to 10.91.239.13 3129 port [tcp/*] succeeded!
Step-7 : Using ping
test:~$ ping 10.91.239.13
PING 10.91.239.13 (10.91.239.13) 56(84) bytes of data.
64 bytes from 10.91.239.13: icmp_seq=1 ttl=64 time=0.092 ms
64 bytes from 10.91.239.13: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 10.91.239.13: icmp_seq=3 ttl=64 time=0.094 ms
64 bytes from 10.91.239.13: icmp_seq=4 ttl=64 time=0.105 ms
64 bytes from 10.91.239.13: icmp_seq=5 ttl=64 time=0.094 ms
squid
Test Cases
Frame Sequence
Wireshark Capture
packet 1
packet 2
FAQs
Reference links